1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21#include "qemu/osdep.h"
22#include "qemu/error-report.h"
23#include "qapi/error.h"
24#include "qemu/timer.h"
25#include "hw/usb.h"
26#include "sysemu/bt.h"
27#include "hw/bt.h"
28#include "qapi/qmp/qerror.h"
29#include "sysemu/replay.h"
30#include "qemu/cutils.h"
31
32struct bt_hci_s {
33 uint8_t *(*evt_packet)(void *opaque);
34 void (*evt_submit)(void *opaque, int len);
35 void *opaque;
36 uint8_t evt_buf[256];
37
38 uint8_t acl_buf[4096];
39 int acl_len;
40
41 uint16_t asb_handle;
42 uint16_t psb_handle;
43
44 int last_cmd;
45
46 struct bt_device_s *conn_req_host;
47
48 struct {
49 int inquire;
50 int periodic;
51 int responses_left;
52 int responses;
53 QEMUTimer *inquiry_done;
54 QEMUTimer *inquiry_next;
55 int inquiry_length;
56 int inquiry_period;
57 int inquiry_mode;
58
59#define HCI_HANDLE_OFFSET 0x20
60#define HCI_HANDLES_MAX 0x10
61 struct bt_hci_master_link_s {
62 struct bt_link_s *link;
63 void (*lmp_acl_data)(struct bt_link_s *link,
64 const uint8_t *data, int start, int len);
65 QEMUTimer *acl_mode_timer;
66 } handle[HCI_HANDLES_MAX];
67 uint32_t role_bmp;
68 int last_handle;
69 int connecting;
70 bdaddr_t awaiting_bdaddr[HCI_HANDLES_MAX];
71 } lm;
72
73 uint8_t event_mask[8];
74 uint16_t voice_setting;
75 uint16_t conn_accept_tout;
76 QEMUTimer *conn_accept_timer;
77
78 struct HCIInfo info;
79 struct bt_device_s device;
80
81 Error *replay_blocker;
82};
83
84#define DEFAULT_RSSI_DBM 20
85
86#define hci_from_info(ptr) container_of((ptr), struct bt_hci_s, info)
87#define hci_from_device(ptr) container_of((ptr), struct bt_hci_s, device)
88
89struct bt_hci_link_s {
90 struct bt_link_s btlink;
91 uint16_t handle;
92};
93
94
95#if 0
96static void bt_submit_lmp(struct bt_device_s *bt, int length, uint8_t *data)
97{
98 int resp, resplen, error, op, tr;
99 uint8_t respdata[17];
100
101 if (length < 1)
102 return;
103
104 tr = *data & 1;
105 op = *(data ++) >> 1;
106 resp = LMP_ACCEPTED;
107 resplen = 2;
108 respdata[1] = op;
109 error = 0;
110 length --;
111
112 if (op >= 0x7c) {
113 op |= *(data ++) << 8;
114 resp = LMP_ACCEPTED_EXT;
115 resplen = 4;
116 respdata[0] = op >> 8;
117 respdata[1] = op & 0xff;
118 length --;
119 }
120
121 switch (op) {
122 case LMP_ACCEPTED:
123
124
125 if (length < 1) {
126 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
127 goto not_accepted;
128 }
129 resp = 0;
130 break;
131
132 case LMP_ACCEPTED_EXT:
133
134
135
136 if (length < 2) {
137 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
138 goto not_accepted;
139 }
140 resp = 0;
141 break;
142
143 case LMP_NOT_ACCEPTED:
144
145
146
147 if (length < 2) {
148 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
149 goto not_accepted;
150 }
151 resp = 0;
152 break;
153
154 case LMP_NOT_ACCEPTED_EXT:
155
156
157
158
159 if (length < 3) {
160 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
161 goto not_accepted;
162 }
163 resp = 0;
164 break;
165
166 case LMP_HOST_CONNECTION_REQ:
167 break;
168
169 case LMP_SETUP_COMPLETE:
170 resp = LMP_SETUP_COMPLETE;
171 resplen = 1;
172 bt->setup = 1;
173 break;
174
175 case LMP_DETACH:
176
177
178 if (length < 1) {
179 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
180 goto not_accepted;
181 }
182 bt->setup = 0;
183 resp = 0;
184 break;
185
186 case LMP_SUPERVISION_TIMEOUT:
187
188
189 if (length < 2) {
190 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
191 goto not_accepted;
192 }
193 resp = 0;
194 break;
195
196 case LMP_QUALITY_OF_SERVICE:
197 resp = 0;
198
199 case LMP_QOS_REQ:
200
201
202
203 if (length < 3) {
204 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
205 goto not_accepted;
206 }
207 break;
208
209 case LMP_MAX_SLOT:
210 resp = 0;
211
212 case LMP_MAX_SLOT_REQ:
213
214
215 if (length < 1) {
216 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
217 goto not_accepted;
218 }
219 break;
220
221 case LMP_AU_RAND:
222 case LMP_IN_RAND:
223 case LMP_COMB_KEY:
224
225
226 if (length < 16) {
227 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
228 goto not_accepted;
229 }
230 if (op == LMP_AU_RAND) {
231 if (bt->key_present) {
232 resp = LMP_SRES;
233 resplen = 5;
234
235 } else {
236 error = HCI_PIN_OR_KEY_MISSING;
237 goto not_accepted;
238 }
239 } else if (op == LMP_IN_RAND) {
240 error = HCI_PAIRING_NOT_ALLOWED;
241 goto not_accepted;
242 } else {
243
244 resp = LMP_UNIT_KEY;
245 resplen = 17;
246 memcpy(respdata + 1, bt->key, 16);
247
248 error = HCI_UNIT_LINK_KEY_USED;
249 goto not_accepted;
250 }
251 break;
252
253 case LMP_UNIT_KEY:
254
255
256 if (length < 16) {
257 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
258 goto not_accepted;
259 }
260 memcpy(bt->key, data, 16);
261 bt->key_present = 1;
262 break;
263
264 case LMP_SRES:
265
266
267 if (length < 4) {
268 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
269 goto not_accepted;
270 }
271 break;
272
273 case LMP_CLKOFFSET_REQ:
274 resp = LMP_CLKOFFSET_RES;
275 resplen = 3;
276 respdata[1] = 0x33;
277 respdata[2] = 0x33;
278 break;
279
280 case LMP_CLKOFFSET_RES:
281
282
283
284 if (length < 2) {
285 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
286 goto not_accepted;
287 }
288 break;
289
290 case LMP_VERSION_REQ:
291 case LMP_VERSION_RES:
292
293
294
295
296 if (length < 5) {
297 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
298 goto not_accepted;
299 }
300 if (op == LMP_VERSION_REQ) {
301 resp = LMP_VERSION_RES;
302 resplen = 6;
303 respdata[1] = 0x20;
304 respdata[2] = 0xff;
305 respdata[3] = 0xff;
306 respdata[4] = 0xff;
307 respdata[5] = 0xff;
308 } else
309 resp = 0;
310 break;
311
312 case LMP_FEATURES_REQ:
313 case LMP_FEATURES_RES:
314
315
316 if (length < 8) {
317 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
318 goto not_accepted;
319 }
320 if (op == LMP_FEATURES_REQ) {
321 resp = LMP_FEATURES_RES;
322 resplen = 9;
323 respdata[1] = (bt->lmp_caps >> 0) & 0xff;
324 respdata[2] = (bt->lmp_caps >> 8) & 0xff;
325 respdata[3] = (bt->lmp_caps >> 16) & 0xff;
326 respdata[4] = (bt->lmp_caps >> 24) & 0xff;
327 respdata[5] = (bt->lmp_caps >> 32) & 0xff;
328 respdata[6] = (bt->lmp_caps >> 40) & 0xff;
329 respdata[7] = (bt->lmp_caps >> 48) & 0xff;
330 respdata[8] = (bt->lmp_caps >> 56) & 0xff;
331 } else
332 resp = 0;
333 break;
334
335 case LMP_NAME_REQ:
336
337
338 if (length < 1) {
339 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
340 goto not_accepted;
341 }
342 resp = LMP_NAME_RES;
343 resplen = 17;
344 respdata[1] = data[0];
345 respdata[2] = strlen(bt->lmp_name);
346 memset(respdata + 3, 0x00, 14);
347 if (respdata[2] > respdata[1])
348 memcpy(respdata + 3, bt->lmp_name + respdata[1],
349 respdata[2] - respdata[1]);
350 break;
351
352 case LMP_NAME_RES:
353
354
355
356
357 if (length < 16) {
358 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
359 goto not_accepted;
360 }
361 resp = 0;
362 break;
363
364 default:
365 error = HCI_UNKNOWN_LMP_PDU;
366
367 not_accepted:
368 if (op >> 8) {
369 resp = LMP_NOT_ACCEPTED_EXT;
370 resplen = 5;
371 respdata[0] = op >> 8;
372 respdata[1] = op & 0xff;
373 respdata[2] = error;
374 } else {
375 resp = LMP_NOT_ACCEPTED;
376 resplen = 3;
377 respdata[0] = op & 0xff;
378 respdata[1] = error;
379 }
380 }
381
382 if (resp == 0)
383 return;
384
385 if (resp >> 8) {
386 respdata[0] = resp >> 8;
387 respdata[1] = resp & 0xff;
388 } else
389 respdata[0] = resp & 0xff;
390
391 respdata[0] <<= 1;
392 respdata[0] |= tr;
393}
394
395static void bt_submit_raw_acl(struct bt_piconet_s *net, int length, uint8_t *data)
396{
397 struct bt_device_s *slave;
398 if (length < 1)
399 return;
400
401 slave = 0;
402#if 0
403 slave = net->slave;
404#endif
405
406 switch (data[0] & 3) {
407 case LLID_ACLC:
408 bt_submit_lmp(slave, length - 1, data + 1);
409 break;
410 case LLID_ACLU_START:
411#if 0
412 bt_sumbit_l2cap(slave, length - 1, data + 1, (data[0] >> 2) & 1);
413 breka;
414#endif
415 default:
416 case LLID_ACLU_CONT:
417 break;
418 }
419}
420#endif
421
422
423
424
425
426
427
428
429#define HNDL(raw) cpu_to_le16(raw)
430
431static const uint8_t bt_event_reserved_mask[8] = {
432 0xff, 0x9f, 0xfb, 0xff, 0x07, 0x18, 0x00, 0x00,
433};
434
435
436static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len)
437{
438}
439
440static int null_hci_addr_set(struct HCIInfo *hci, const uint8_t *bd_addr)
441{
442 return -ENOTSUP;
443}
444
445struct HCIInfo null_hci = {
446 .cmd_send = null_hci_send,
447 .sco_send = null_hci_send,
448 .acl_send = null_hci_send,
449 .bdaddr_set = null_hci_addr_set,
450};
451
452
453static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
454 int evt, int len)
455{
456 uint8_t *packet, mask;
457 int mask_byte;
458
459 if (len > 255) {
460 error_report("%s: HCI event params too long (%ib)", __func__, len);
461 exit(-1);
462 }
463
464 mask_byte = (evt - 1) >> 3;
465 mask = 1 << ((evt - 1) & 3);
466 if (mask & bt_event_reserved_mask[mask_byte] & ~hci->event_mask[mask_byte])
467 return NULL;
468
469 packet = hci->evt_packet(hci->opaque);
470 packet[0] = evt;
471 packet[1] = len;
472
473 return &packet[2];
474}
475
476static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
477 void *params, int len)
478{
479 uint8_t *packet = bt_hci_event_start(hci, evt, len);
480
481 if (!packet)
482 return;
483
484 if (len)
485 memcpy(packet, params, len);
486
487 hci->evt_submit(hci->opaque, len + 2);
488}
489
490static inline void bt_hci_event_status(struct bt_hci_s *hci, int status)
491{
492 evt_cmd_status params = {
493 .status = status,
494 .ncmd = 1,
495 .opcode = hci->last_cmd,
496 };
497
498 bt_hci_event(hci, EVT_CMD_STATUS, ¶ms, EVT_CMD_STATUS_SIZE);
499}
500
501static inline void bt_hci_event_complete(struct bt_hci_s *hci,
502 void *ret, int len)
503{
504 uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,
505 len + EVT_CMD_COMPLETE_SIZE);
506 evt_cmd_complete *params = (evt_cmd_complete *) packet;
507
508 if (!packet)
509 return;
510
511 params->ncmd = 1;
512 params->opcode = hci->last_cmd;
513 if (len)
514 memcpy(&packet[EVT_CMD_COMPLETE_SIZE], ret, len);
515
516 hci->evt_submit(hci->opaque, len + EVT_CMD_COMPLETE_SIZE + 2);
517}
518
519static void bt_hci_inquiry_done(void *opaque)
520{
521 struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
522 uint8_t status = HCI_SUCCESS;
523
524 if (!hci->lm.periodic)
525 hci->lm.inquire = 0;
526
527
528
529
530
531
532 bt_hci_event(hci, EVT_INQUIRY_COMPLETE, &status, 1);
533}
534
535static void bt_hci_inquiry_result_standard(struct bt_hci_s *hci,
536 struct bt_device_s *slave)
537{
538 inquiry_info params = {
539 .num_responses = 1,
540 .bdaddr = BAINIT(&slave->bd_addr),
541 .pscan_rep_mode = 0x00,
542 .pscan_period_mode = 0x00,
543 .pscan_mode = 0x00,
544 .dev_class[0] = slave->class[0],
545 .dev_class[1] = slave->class[1],
546 .dev_class[2] = slave->class[2],
547
548 .clock_offset = slave->clkoff,
549 };
550
551 bt_hci_event(hci, EVT_INQUIRY_RESULT, ¶ms, INQUIRY_INFO_SIZE);
552}
553
554static void bt_hci_inquiry_result_with_rssi(struct bt_hci_s *hci,
555 struct bt_device_s *slave)
556{
557 inquiry_info_with_rssi params = {
558 .num_responses = 1,
559 .bdaddr = BAINIT(&slave->bd_addr),
560 .pscan_rep_mode = 0x00,
561 .pscan_period_mode = 0x00,
562 .dev_class[0] = slave->class[0],
563 .dev_class[1] = slave->class[1],
564 .dev_class[2] = slave->class[2],
565
566 .clock_offset = slave->clkoff,
567 .rssi = DEFAULT_RSSI_DBM,
568 };
569
570 bt_hci_event(hci, EVT_INQUIRY_RESULT_WITH_RSSI,
571 ¶ms, INQUIRY_INFO_WITH_RSSI_SIZE);
572}
573
574static void bt_hci_inquiry_result(struct bt_hci_s *hci,
575 struct bt_device_s *slave)
576{
577 if (!slave->inquiry_scan || !hci->lm.responses_left)
578 return;
579
580 hci->lm.responses_left --;
581 hci->lm.responses ++;
582
583 switch (hci->lm.inquiry_mode) {
584 case 0x00:
585 bt_hci_inquiry_result_standard(hci, slave);
586 return;
587 case 0x01:
588 bt_hci_inquiry_result_with_rssi(hci, slave);
589 return;
590 default:
591 error_report("%s: bad inquiry mode %02x", __func__,
592 hci->lm.inquiry_mode);
593 exit(-1);
594 }
595}
596
597static void bt_hci_mod_timer_1280ms(QEMUTimer *timer, int period)
598{
599 timer_mod(timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
600 (uint64_t)(period << 7) * 10000000);
601}
602
603static void bt_hci_inquiry_start(struct bt_hci_s *hci, int length)
604{
605 struct bt_device_s *slave;
606
607 hci->lm.inquiry_length = length;
608 for (slave = hci->device.net->slave; slave; slave = slave->next)
609
610 if (slave != &hci->device)
611 bt_hci_inquiry_result(hci, slave);
612
613
614
615
616
617
618 if (hci->lm.responses_left)
619 bt_hci_mod_timer_1280ms(hci->lm.inquiry_done, hci->lm.inquiry_length);
620 else
621 bt_hci_inquiry_done(hci);
622
623 if (hci->lm.periodic)
624 bt_hci_mod_timer_1280ms(hci->lm.inquiry_next, hci->lm.inquiry_period);
625}
626
627static void bt_hci_inquiry_next(void *opaque)
628{
629 struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
630
631 hci->lm.responses_left += hci->lm.responses;
632 hci->lm.responses = 0;
633 bt_hci_inquiry_start(hci, hci->lm.inquiry_length);
634}
635
636static inline int bt_hci_handle_bad(struct bt_hci_s *hci, uint16_t handle)
637{
638 return !(handle & HCI_HANDLE_OFFSET) ||
639 handle >= (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX) ||
640 !hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
641}
642
643static inline int bt_hci_role_master(struct bt_hci_s *hci, uint16_t handle)
644{
645 return !!(hci->lm.role_bmp & (1 << (handle & ~HCI_HANDLE_OFFSET)));
646}
647
648static inline struct bt_device_s *bt_hci_remote_dev(struct bt_hci_s *hci,
649 uint16_t handle)
650{
651 struct bt_link_s *link = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
652
653 return bt_hci_role_master(hci, handle) ? link->slave : link->host;
654}
655
656static void bt_hci_mode_tick(void *opaque);
657static void bt_hci_lmp_link_establish(struct bt_hci_s *hci,
658 struct bt_link_s *link, int master)
659{
660 hci->lm.handle[hci->lm.last_handle].link = link;
661
662 if (master) {
663
664 hci->lm.role_bmp |= 1 << hci->lm.last_handle;
665
666 hci->lm.handle[hci->lm.last_handle].lmp_acl_data =
667 link->slave->lmp_acl_data;
668 } else {
669
670 hci->lm.role_bmp &= ~(1 << hci->lm.last_handle);
671
672 hci->lm.handle[hci->lm.last_handle].lmp_acl_data =
673 link->host->lmp_acl_resp;
674 }
675
676
677 if (master) {
678 link->acl_mode = acl_active;
679 hci->lm.handle[hci->lm.last_handle].acl_mode_timer =
680 timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_mode_tick, link);
681 }
682}
683
684static void bt_hci_lmp_link_teardown(struct bt_hci_s *hci, uint16_t handle)
685{
686 handle &= ~HCI_HANDLE_OFFSET;
687 hci->lm.handle[handle].link = NULL;
688
689 if (bt_hci_role_master(hci, handle)) {
690 timer_del(hci->lm.handle[handle].acl_mode_timer);
691 timer_free(hci->lm.handle[handle].acl_mode_timer);
692 }
693}
694
695static int bt_hci_connect(struct bt_hci_s *hci, bdaddr_t *bdaddr)
696{
697 struct bt_device_s *slave;
698 struct bt_link_s link;
699
700 for (slave = hci->device.net->slave; slave; slave = slave->next)
701 if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
702 break;
703 if (!slave || slave == &hci->device)
704 return -ENODEV;
705
706 bacpy(&hci->lm.awaiting_bdaddr[hci->lm.connecting ++], &slave->bd_addr);
707
708 link.slave = slave;
709 link.host = &hci->device;
710 link.slave->lmp_connection_request(&link);
711
712 return 0;
713}
714
715static void bt_hci_connection_reject(struct bt_hci_s *hci,
716 struct bt_device_s *host, uint8_t because)
717{
718 struct bt_link_s link = {
719 .slave = &hci->device,
720 .host = host,
721
722 };
723
724 host->reject_reason = because;
725 host->lmp_connection_complete(&link);
726}
727
728static void bt_hci_connection_reject_event(struct bt_hci_s *hci,
729 bdaddr_t *bdaddr)
730{
731 evt_conn_complete params;
732
733 params.status = HCI_NO_CONNECTION;
734 params.handle = 0;
735 bacpy(¶ms.bdaddr, bdaddr);
736 params.link_type = ACL_LINK;
737 params.encr_mode = 0x00;
738 bt_hci_event(hci, EVT_CONN_COMPLETE, ¶ms, EVT_CONN_COMPLETE_SIZE);
739}
740
741static void bt_hci_connection_accept(struct bt_hci_s *hci,
742 struct bt_device_s *host)
743{
744 struct bt_hci_link_s *link = g_malloc0(sizeof(struct bt_hci_link_s));
745 evt_conn_complete params;
746 uint16_t handle;
747 uint8_t status = HCI_SUCCESS;
748 int tries = HCI_HANDLES_MAX;
749
750
751 do {
752 while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)
753 hci->lm.last_handle &= HCI_HANDLES_MAX - 1;
754 handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
755 } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&
756 tries);
757
758 if (!tries) {
759 g_free(link);
760 bt_hci_connection_reject(hci, host, HCI_REJECTED_LIMITED_RESOURCES);
761 status = HCI_NO_CONNECTION;
762 goto complete;
763 }
764
765 link->btlink.slave = &hci->device;
766 link->btlink.host = host;
767 link->handle = handle;
768
769
770 bt_hci_lmp_link_establish(hci, &link->btlink, 0);
771
772complete:
773 params.status = status;
774 params.handle = HNDL(handle);
775 bacpy(¶ms.bdaddr, &host->bd_addr);
776 params.link_type = ACL_LINK;
777 params.encr_mode = 0x00;
778 bt_hci_event(hci, EVT_CONN_COMPLETE, ¶ms, EVT_CONN_COMPLETE_SIZE);
779
780
781
782
783 if (status == HCI_SUCCESS) {
784 host->reject_reason = 0;
785 host->lmp_connection_complete(&link->btlink);
786 }
787}
788
789static void bt_hci_lmp_connection_request(struct bt_link_s *link)
790{
791 struct bt_hci_s *hci = hci_from_device(link->slave);
792 evt_conn_request params;
793
794 if (hci->conn_req_host) {
795 bt_hci_connection_reject(hci, link->host,
796 HCI_REJECTED_LIMITED_RESOURCES);
797 return;
798 }
799 hci->conn_req_host = link->host;
800
801
802
803
804
805 bacpy(¶ms.bdaddr, &link->host->bd_addr);
806 memcpy(¶ms.dev_class, &link->host->class, sizeof(params.dev_class));
807 params.link_type = ACL_LINK;
808 bt_hci_event(hci, EVT_CONN_REQUEST, ¶ms, EVT_CONN_REQUEST_SIZE);
809}
810
811static void bt_hci_conn_accept_timeout(void *opaque)
812{
813 struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
814
815 if (!hci->conn_req_host)
816
817
818
819 return;
820
821
822}
823
824
825
826
827
828
829static int bt_hci_lmp_connection_ready(struct bt_hci_s *hci,
830 bdaddr_t *bdaddr)
831{
832 int i;
833
834 for (i = 0; i < hci->lm.connecting; i ++)
835 if (!bacmp(&hci->lm.awaiting_bdaddr[i], bdaddr)) {
836 if (i < -- hci->lm.connecting)
837 bacpy(&hci->lm.awaiting_bdaddr[i],
838 &hci->lm.awaiting_bdaddr[hci->lm.connecting]);
839 return 0;
840 }
841
842 return 1;
843}
844
845static void bt_hci_lmp_connection_complete(struct bt_link_s *link)
846{
847 struct bt_hci_s *hci = hci_from_device(link->host);
848 evt_conn_complete params;
849 uint16_t handle;
850 uint8_t status = HCI_SUCCESS;
851 int tries = HCI_HANDLES_MAX;
852
853 if (bt_hci_lmp_connection_ready(hci, &link->slave->bd_addr)) {
854 if (!hci->device.reject_reason)
855 link->slave->lmp_disconnect_slave(link);
856 handle = 0;
857 status = HCI_NO_CONNECTION;
858 goto complete;
859 }
860
861 if (hci->device.reject_reason) {
862 handle = 0;
863 status = hci->device.reject_reason;
864 goto complete;
865 }
866
867
868 do {
869 while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)
870 hci->lm.last_handle &= HCI_HANDLES_MAX - 1;
871 handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
872 } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&
873 tries);
874
875 if (!tries) {
876 link->slave->lmp_disconnect_slave(link);
877 status = HCI_NO_CONNECTION;
878 goto complete;
879 }
880
881
882 link->handle = handle;
883 bt_hci_lmp_link_establish(hci, link, 1);
884
885complete:
886 params.status = status;
887 params.handle = HNDL(handle);
888 params.link_type = ACL_LINK;
889 bacpy(¶ms.bdaddr, &link->slave->bd_addr);
890 params.encr_mode = 0x00;
891 bt_hci_event(hci, EVT_CONN_COMPLETE, ¶ms, EVT_CONN_COMPLETE_SIZE);
892}
893
894static void bt_hci_disconnect(struct bt_hci_s *hci,
895 uint16_t handle, int reason)
896{
897 struct bt_link_s *btlink =
898 hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
899 struct bt_hci_link_s *link;
900 evt_disconn_complete params;
901
902 if (bt_hci_role_master(hci, handle)) {
903 btlink->slave->reject_reason = reason;
904 btlink->slave->lmp_disconnect_slave(btlink);
905
906
907 goto complete;
908 }
909
910 btlink->host->reject_reason = reason;
911 btlink->host->lmp_disconnect_master(btlink);
912
913
914 link = (struct bt_hci_link_s *) btlink;
915 g_free(link);
916
917complete:
918 bt_hci_lmp_link_teardown(hci, handle);
919
920 params.status = HCI_SUCCESS;
921 params.handle = HNDL(handle);
922 params.reason = HCI_CONNECTION_TERMINATED;
923 bt_hci_event(hci, EVT_DISCONN_COMPLETE,
924 ¶ms, EVT_DISCONN_COMPLETE_SIZE);
925}
926
927
928static void bt_hci_lmp_disconnect_host(struct bt_link_s *link)
929{
930 struct bt_hci_s *hci = hci_from_device(link->host);
931 uint16_t handle = link->handle;
932 evt_disconn_complete params;
933
934 bt_hci_lmp_link_teardown(hci, handle);
935
936 params.status = HCI_SUCCESS;
937 params.handle = HNDL(handle);
938 params.reason = hci->device.reject_reason;
939 bt_hci_event(hci, EVT_DISCONN_COMPLETE,
940 ¶ms, EVT_DISCONN_COMPLETE_SIZE);
941}
942
943static void bt_hci_lmp_disconnect_slave(struct bt_link_s *btlink)
944{
945 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
946 struct bt_hci_s *hci = hci_from_device(btlink->slave);
947 uint16_t handle = link->handle;
948 evt_disconn_complete params;
949
950 g_free(link);
951
952 bt_hci_lmp_link_teardown(hci, handle);
953
954 params.status = HCI_SUCCESS;
955 params.handle = HNDL(handle);
956 params.reason = hci->device.reject_reason;
957 bt_hci_event(hci, EVT_DISCONN_COMPLETE,
958 ¶ms, EVT_DISCONN_COMPLETE_SIZE);
959}
960
961static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr)
962{
963 struct bt_device_s *slave;
964 evt_remote_name_req_complete params;
965
966 for (slave = hci->device.net->slave; slave; slave = slave->next)
967 if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
968 break;
969 if (!slave)
970 return -ENODEV;
971
972 bt_hci_event_status(hci, HCI_SUCCESS);
973
974 params.status = HCI_SUCCESS;
975 bacpy(¶ms.bdaddr, &slave->bd_addr);
976 pstrcpy(params.name, sizeof(params.name), slave->lmp_name ?: "");
977 bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE,
978 ¶ms, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE);
979
980 return 0;
981}
982
983static int bt_hci_features_req(struct bt_hci_s *hci, uint16_t handle)
984{
985 struct bt_device_s *slave;
986 evt_read_remote_features_complete params;
987
988 if (bt_hci_handle_bad(hci, handle))
989 return -ENODEV;
990
991 slave = bt_hci_remote_dev(hci, handle);
992
993 bt_hci_event_status(hci, HCI_SUCCESS);
994
995 params.status = HCI_SUCCESS;
996 params.handle = HNDL(handle);
997 params.features[0] = (slave->lmp_caps >> 0) & 0xff;
998 params.features[1] = (slave->lmp_caps >> 8) & 0xff;
999 params.features[2] = (slave->lmp_caps >> 16) & 0xff;
1000 params.features[3] = (slave->lmp_caps >> 24) & 0xff;
1001 params.features[4] = (slave->lmp_caps >> 32) & 0xff;
1002 params.features[5] = (slave->lmp_caps >> 40) & 0xff;
1003 params.features[6] = (slave->lmp_caps >> 48) & 0xff;
1004 params.features[7] = (slave->lmp_caps >> 56) & 0xff;
1005 bt_hci_event(hci, EVT_READ_REMOTE_FEATURES_COMPLETE,
1006 ¶ms, EVT_READ_REMOTE_FEATURES_COMPLETE_SIZE);
1007
1008 return 0;
1009}
1010
1011static int bt_hci_version_req(struct bt_hci_s *hci, uint16_t handle)
1012{
1013 evt_read_remote_version_complete params;
1014
1015 if (bt_hci_handle_bad(hci, handle))
1016 return -ENODEV;
1017
1018 bt_hci_remote_dev(hci, handle);
1019
1020 bt_hci_event_status(hci, HCI_SUCCESS);
1021
1022 params.status = HCI_SUCCESS;
1023 params.handle = HNDL(handle);
1024 params.lmp_ver = 0x03;
1025 params.manufacturer = cpu_to_le16(0xa000);
1026 params.lmp_subver = cpu_to_le16(0xa607);
1027 bt_hci_event(hci, EVT_READ_REMOTE_VERSION_COMPLETE,
1028 ¶ms, EVT_READ_REMOTE_VERSION_COMPLETE_SIZE);
1029
1030 return 0;
1031}
1032
1033static int bt_hci_clkoffset_req(struct bt_hci_s *hci, uint16_t handle)
1034{
1035 struct bt_device_s *slave;
1036 evt_read_clock_offset_complete params;
1037
1038 if (bt_hci_handle_bad(hci, handle))
1039 return -ENODEV;
1040
1041 slave = bt_hci_remote_dev(hci, handle);
1042
1043 bt_hci_event_status(hci, HCI_SUCCESS);
1044
1045 params.status = HCI_SUCCESS;
1046 params.handle = HNDL(handle);
1047
1048 params.clock_offset = slave->clkoff;
1049 bt_hci_event(hci, EVT_READ_CLOCK_OFFSET_COMPLETE,
1050 ¶ms, EVT_READ_CLOCK_OFFSET_COMPLETE_SIZE);
1051
1052 return 0;
1053}
1054
1055static void bt_hci_event_mode(struct bt_hci_s *hci, struct bt_link_s *link,
1056 uint16_t handle)
1057{
1058 evt_mode_change params = {
1059 .status = HCI_SUCCESS,
1060 .handle = HNDL(handle),
1061 .mode = link->acl_mode,
1062 .interval = cpu_to_le16(link->acl_interval),
1063 };
1064
1065 bt_hci_event(hci, EVT_MODE_CHANGE, ¶ms, EVT_MODE_CHANGE_SIZE);
1066}
1067
1068static void bt_hci_lmp_mode_change_master(struct bt_hci_s *hci,
1069 struct bt_link_s *link, int mode, uint16_t interval)
1070{
1071 link->acl_mode = mode;
1072 link->acl_interval = interval;
1073
1074 bt_hci_event_mode(hci, link, link->handle);
1075
1076 link->slave->lmp_mode_change(link);
1077}
1078
1079static void bt_hci_lmp_mode_change_slave(struct bt_link_s *btlink)
1080{
1081 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
1082 struct bt_hci_s *hci = hci_from_device(btlink->slave);
1083
1084 bt_hci_event_mode(hci, btlink, link->handle);
1085}
1086
1087static int bt_hci_mode_change(struct bt_hci_s *hci, uint16_t handle,
1088 int interval, int mode)
1089{
1090 struct bt_hci_master_link_s *link;
1091
1092 if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle))
1093 return -ENODEV;
1094
1095 link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
1096 if (link->link->acl_mode != acl_active) {
1097 bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
1098 return 0;
1099 }
1100
1101 bt_hci_event_status(hci, HCI_SUCCESS);
1102
1103 timer_mod(link->acl_mode_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
1104 ((uint64_t)interval * 625) * 1000);
1105 bt_hci_lmp_mode_change_master(hci, link->link, mode, interval);
1106
1107 return 0;
1108}
1109
1110static int bt_hci_mode_cancel(struct bt_hci_s *hci, uint16_t handle, int mode)
1111{
1112 struct bt_hci_master_link_s *link;
1113
1114 if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle))
1115 return -ENODEV;
1116
1117 link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
1118 if (link->link->acl_mode != mode) {
1119 bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
1120
1121 return 0;
1122 }
1123
1124 bt_hci_event_status(hci, HCI_SUCCESS);
1125
1126 timer_del(link->acl_mode_timer);
1127 bt_hci_lmp_mode_change_master(hci, link->link, acl_active, 0);
1128
1129 return 0;
1130}
1131
1132static void bt_hci_mode_tick(void *opaque)
1133{
1134 struct bt_link_s *link = opaque;
1135 struct bt_hci_s *hci = hci_from_device(link->host);
1136
1137 bt_hci_lmp_mode_change_master(hci, link, acl_active, 0);
1138}
1139
1140static void bt_hci_reset(struct bt_hci_s *hci)
1141{
1142 hci->acl_len = 0;
1143 hci->last_cmd = 0;
1144 hci->lm.connecting = 0;
1145
1146 hci->event_mask[0] = 0xff;
1147 hci->event_mask[1] = 0xff;
1148 hci->event_mask[2] = 0xff;
1149 hci->event_mask[3] = 0xff;
1150 hci->event_mask[4] = 0xff;
1151 hci->event_mask[5] = 0x1f;
1152 hci->event_mask[6] = 0x00;
1153 hci->event_mask[7] = 0x00;
1154 hci->device.inquiry_scan = 0;
1155 hci->device.page_scan = 0;
1156 g_free((void *) hci->device.lmp_name);
1157 hci->device.lmp_name = NULL;
1158 hci->device.class[0] = 0x00;
1159 hci->device.class[1] = 0x00;
1160 hci->device.class[2] = 0x00;
1161 hci->voice_setting = 0x0000;
1162 hci->conn_accept_tout = 0x1f40;
1163 hci->lm.inquiry_mode = 0x00;
1164
1165 hci->psb_handle = 0x000;
1166 hci->asb_handle = 0x000;
1167
1168
1169 timer_del(hci->lm.inquiry_done);
1170 timer_del(hci->lm.inquiry_next);
1171 timer_del(hci->conn_accept_timer);
1172}
1173
1174static void bt_hci_read_local_version_rp(struct bt_hci_s *hci)
1175{
1176 read_local_version_rp lv = {
1177 .status = HCI_SUCCESS,
1178 .hci_ver = 0x03,
1179 .hci_rev = cpu_to_le16(0xa607),
1180 .lmp_ver = 0x03,
1181 .manufacturer = cpu_to_le16(0xa000),
1182 .lmp_subver = cpu_to_le16(0xa607),
1183 };
1184
1185 bt_hci_event_complete(hci, &lv, READ_LOCAL_VERSION_RP_SIZE);
1186}
1187
1188static void bt_hci_read_local_commands_rp(struct bt_hci_s *hci)
1189{
1190 read_local_commands_rp lc = {
1191 .status = HCI_SUCCESS,
1192 .commands = {
1193
1194
1195 0xbf, 0x80, 0xf9, 0x03, 0xb2, 0xc0, 0x03, 0xc3,
1196 0x00, 0x0f, 0x80, 0x00, 0xc0, 0x00, 0xe8, 0x13,
1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 },
1204 };
1205
1206 bt_hci_event_complete(hci, &lc, READ_LOCAL_COMMANDS_RP_SIZE);
1207}
1208
1209static void bt_hci_read_local_features_rp(struct bt_hci_s *hci)
1210{
1211 read_local_features_rp lf = {
1212 .status = HCI_SUCCESS,
1213 .features = {
1214 (hci->device.lmp_caps >> 0) & 0xff,
1215 (hci->device.lmp_caps >> 8) & 0xff,
1216 (hci->device.lmp_caps >> 16) & 0xff,
1217 (hci->device.lmp_caps >> 24) & 0xff,
1218 (hci->device.lmp_caps >> 32) & 0xff,
1219 (hci->device.lmp_caps >> 40) & 0xff,
1220 (hci->device.lmp_caps >> 48) & 0xff,
1221 (hci->device.lmp_caps >> 56) & 0xff,
1222 },
1223 };
1224
1225 bt_hci_event_complete(hci, &lf, READ_LOCAL_FEATURES_RP_SIZE);
1226}
1227
1228static void bt_hci_read_local_ext_features_rp(struct bt_hci_s *hci, int page)
1229{
1230 read_local_ext_features_rp lef = {
1231 .status = HCI_SUCCESS,
1232 .page_num = page,
1233 .max_page_num = 0x00,
1234 .features = {
1235
1236 0x5f, 0x35, 0x85, 0x7e, 0x9b, 0x19, 0x00, 0x80,
1237 },
1238 };
1239 if (page)
1240 memset(lef.features, 0, sizeof(lef.features));
1241
1242 bt_hci_event_complete(hci, &lef, READ_LOCAL_EXT_FEATURES_RP_SIZE);
1243}
1244
1245static void bt_hci_read_buffer_size_rp(struct bt_hci_s *hci)
1246{
1247 read_buffer_size_rp bs = {
1248
1249
1250
1251 .status = HCI_SUCCESS,
1252 .acl_mtu = cpu_to_le16(0x0200),
1253 .sco_mtu = 0,
1254 .acl_max_pkt = cpu_to_le16(0x0001),
1255 .sco_max_pkt = cpu_to_le16(0x0000),
1256 };
1257
1258 bt_hci_event_complete(hci, &bs, READ_BUFFER_SIZE_RP_SIZE);
1259}
1260
1261
1262static void bt_hci_read_country_code_rp(struct bt_hci_s *hci)
1263{
1264 read_country_code_rp cc ={
1265 .status = HCI_SUCCESS,
1266 .country_code = 0x00,
1267 };
1268
1269 bt_hci_event_complete(hci, &cc, READ_COUNTRY_CODE_RP_SIZE);
1270
1271
1272}
1273
1274static void bt_hci_read_bd_addr_rp(struct bt_hci_s *hci)
1275{
1276 read_bd_addr_rp ba = {
1277 .status = HCI_SUCCESS,
1278 .bdaddr = BAINIT(&hci->device.bd_addr),
1279 };
1280
1281 bt_hci_event_complete(hci, &ba, READ_BD_ADDR_RP_SIZE);
1282}
1283
1284static int bt_hci_link_quality_rp(struct bt_hci_s *hci, uint16_t handle)
1285{
1286 read_link_quality_rp lq = {
1287 .status = HCI_SUCCESS,
1288 .handle = HNDL(handle),
1289 .link_quality = 0xff,
1290 };
1291
1292 if (bt_hci_handle_bad(hci, handle))
1293 lq.status = HCI_NO_CONNECTION;
1294
1295 bt_hci_event_complete(hci, &lq, READ_LINK_QUALITY_RP_SIZE);
1296 return 0;
1297}
1298
1299
1300static inline void bt_hci_event_complete_status(struct bt_hci_s *hci,
1301 uint8_t status)
1302{
1303 bt_hci_event_complete(hci, &status, 1);
1304}
1305
1306static inline void bt_hci_event_complete_conn_cancel(struct bt_hci_s *hci,
1307 uint8_t status, bdaddr_t *bd_addr)
1308{
1309 create_conn_cancel_rp params = {
1310 .status = status,
1311 .bdaddr = BAINIT(bd_addr),
1312 };
1313
1314 bt_hci_event_complete(hci, ¶ms, CREATE_CONN_CANCEL_RP_SIZE);
1315}
1316
1317static inline void bt_hci_event_auth_complete(struct bt_hci_s *hci,
1318 uint16_t handle)
1319{
1320 evt_auth_complete params = {
1321 .status = HCI_SUCCESS,
1322 .handle = HNDL(handle),
1323 };
1324
1325 bt_hci_event(hci, EVT_AUTH_COMPLETE, ¶ms, EVT_AUTH_COMPLETE_SIZE);
1326}
1327
1328static inline void bt_hci_event_encrypt_change(struct bt_hci_s *hci,
1329 uint16_t handle, uint8_t mode)
1330{
1331 evt_encrypt_change params = {
1332 .status = HCI_SUCCESS,
1333 .handle = HNDL(handle),
1334 .encrypt = mode,
1335 };
1336
1337 bt_hci_event(hci, EVT_ENCRYPT_CHANGE, ¶ms, EVT_ENCRYPT_CHANGE_SIZE);
1338}
1339
1340static inline void bt_hci_event_complete_name_cancel(struct bt_hci_s *hci,
1341 bdaddr_t *bd_addr)
1342{
1343 remote_name_req_cancel_rp params = {
1344 .status = HCI_INVALID_PARAMETERS,
1345 .bdaddr = BAINIT(bd_addr),
1346 };
1347
1348 bt_hci_event_complete(hci, ¶ms, REMOTE_NAME_REQ_CANCEL_RP_SIZE);
1349}
1350
1351static inline void bt_hci_event_read_remote_ext_features(struct bt_hci_s *hci,
1352 uint16_t handle)
1353{
1354 evt_read_remote_ext_features_complete params = {
1355 .status = HCI_UNSUPPORTED_FEATURE,
1356 .handle = HNDL(handle),
1357
1358 };
1359
1360 bt_hci_event(hci, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE,
1361 ¶ms, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE_SIZE);
1362}
1363
1364static inline void bt_hci_event_complete_lmp_handle(struct bt_hci_s *hci,
1365 uint16_t handle)
1366{
1367 read_lmp_handle_rp params = {
1368 .status = HCI_NO_CONNECTION,
1369 .handle = HNDL(handle),
1370 .reserved = 0,
1371
1372 };
1373
1374 bt_hci_event_complete(hci, ¶ms, READ_LMP_HANDLE_RP_SIZE);
1375}
1376
1377static inline void bt_hci_event_complete_role_discovery(struct bt_hci_s *hci,
1378 int status, uint16_t handle, int master)
1379{
1380 role_discovery_rp params = {
1381 .status = status,
1382 .handle = HNDL(handle),
1383 .role = master ? 0x00 : 0x01,
1384 };
1385
1386 bt_hci_event_complete(hci, ¶ms, ROLE_DISCOVERY_RP_SIZE);
1387}
1388
1389static inline void bt_hci_event_complete_flush(struct bt_hci_s *hci,
1390 int status, uint16_t handle)
1391{
1392 flush_rp params = {
1393 .status = status,
1394 .handle = HNDL(handle),
1395 };
1396
1397 bt_hci_event_complete(hci, ¶ms, FLUSH_RP_SIZE);
1398}
1399
1400static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci)
1401{
1402 read_local_name_rp params;
1403 params.status = HCI_SUCCESS;
1404 memset(params.name, 0, sizeof(params.name));
1405 if (hci->device.lmp_name)
1406 pstrcpy(params.name, sizeof(params.name), hci->device.lmp_name);
1407
1408 bt_hci_event_complete(hci, ¶ms, READ_LOCAL_NAME_RP_SIZE);
1409}
1410
1411static inline void bt_hci_event_complete_read_conn_accept_timeout(
1412 struct bt_hci_s *hci)
1413{
1414 read_conn_accept_timeout_rp params = {
1415 .status = HCI_SUCCESS,
1416 .timeout = cpu_to_le16(hci->conn_accept_tout),
1417 };
1418
1419 bt_hci_event_complete(hci, ¶ms, READ_CONN_ACCEPT_TIMEOUT_RP_SIZE);
1420}
1421
1422static inline void bt_hci_event_complete_read_scan_enable(struct bt_hci_s *hci)
1423{
1424 read_scan_enable_rp params = {
1425 .status = HCI_SUCCESS,
1426 .enable =
1427 (hci->device.inquiry_scan ? SCAN_INQUIRY : 0) |
1428 (hci->device.page_scan ? SCAN_PAGE : 0),
1429 };
1430
1431 bt_hci_event_complete(hci, ¶ms, READ_SCAN_ENABLE_RP_SIZE);
1432}
1433
1434static inline void bt_hci_event_complete_read_local_class(struct bt_hci_s *hci)
1435{
1436 read_class_of_dev_rp params;
1437
1438 params.status = HCI_SUCCESS;
1439 memcpy(params.dev_class, hci->device.class, sizeof(params.dev_class));
1440
1441 bt_hci_event_complete(hci, ¶ms, READ_CLASS_OF_DEV_RP_SIZE);
1442}
1443
1444static inline void bt_hci_event_complete_voice_setting(struct bt_hci_s *hci)
1445{
1446 read_voice_setting_rp params = {
1447 .status = HCI_SUCCESS,
1448 .voice_setting = hci->voice_setting,
1449 };
1450
1451 bt_hci_event_complete(hci, ¶ms, READ_VOICE_SETTING_RP_SIZE);
1452}
1453
1454static inline void bt_hci_event_complete_read_inquiry_mode(
1455 struct bt_hci_s *hci)
1456{
1457 read_inquiry_mode_rp params = {
1458 .status = HCI_SUCCESS,
1459 .mode = hci->lm.inquiry_mode,
1460 };
1461
1462 bt_hci_event_complete(hci, ¶ms, READ_INQUIRY_MODE_RP_SIZE);
1463}
1464
1465static inline void bt_hci_event_num_comp_pkts(struct bt_hci_s *hci,
1466 uint16_t handle, int packets)
1467{
1468 uint16_t buf[EVT_NUM_COMP_PKTS_SIZE(1) / 2 + 1];
1469 evt_num_comp_pkts *params = (void *) ((uint8_t *) buf + 1);
1470
1471 params->num_hndl = 1;
1472 params->connection->handle = HNDL(handle);
1473 params->connection->num_packets = cpu_to_le16(packets);
1474
1475 bt_hci_event(hci, EVT_NUM_COMP_PKTS, params, EVT_NUM_COMP_PKTS_SIZE(1));
1476}
1477
1478static void bt_submit_hci(struct HCIInfo *info,
1479 const uint8_t *data, int length)
1480{
1481 struct bt_hci_s *hci = hci_from_info(info);
1482 uint16_t cmd;
1483 int paramlen, i;
1484
1485 if (length < HCI_COMMAND_HDR_SIZE)
1486 goto short_hci;
1487
1488 memcpy(&hci->last_cmd, data, 2);
1489
1490 cmd = (data[1] << 8) | data[0];
1491 paramlen = data[2];
1492 if (cmd_opcode_ogf(cmd) == 0 || cmd_opcode_ocf(cmd) == 0)
1493 return;
1494
1495 data += HCI_COMMAND_HDR_SIZE;
1496 length -= HCI_COMMAND_HDR_SIZE;
1497
1498 if (paramlen > length)
1499 return;
1500
1501#define PARAM(cmd, param) (((cmd##_cp *) data)->param)
1502#define PARAM16(cmd, param) lduw_le_p(&PARAM(cmd, param))
1503#define PARAMHANDLE(cmd) PARAM16(cmd, handle)
1504#define LENGTH_CHECK(cmd) if (length < sizeof(cmd##_cp)) goto short_hci
1505
1506
1507 switch (cmd) {
1508 case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY):
1509 LENGTH_CHECK(inquiry);
1510
1511 if (PARAM(inquiry, length) < 1) {
1512 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1513 break;
1514 }
1515
1516 hci->lm.inquire = 1;
1517 hci->lm.periodic = 0;
1518 hci->lm.responses_left = PARAM(inquiry, num_rsp) ?: INT_MAX;
1519 hci->lm.responses = 0;
1520 bt_hci_event_status(hci, HCI_SUCCESS);
1521 bt_hci_inquiry_start(hci, PARAM(inquiry, length));
1522 break;
1523
1524 case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY_CANCEL):
1525 if (!hci->lm.inquire || hci->lm.periodic) {
1526 fprintf(stderr, "%s: Inquiry Cancel should only be issued after "
1527 "the Inquiry command has been issued, a Command "
1528 "Status event has been received for the Inquiry "
1529 "command, and before the Inquiry Complete event "
1530 "occurs", __func__);
1531 bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED);
1532 break;
1533 }
1534
1535 hci->lm.inquire = 0;
1536 timer_del(hci->lm.inquiry_done);
1537 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1538 break;
1539
1540 case cmd_opcode_pack(OGF_LINK_CTL, OCF_PERIODIC_INQUIRY):
1541 LENGTH_CHECK(periodic_inquiry);
1542
1543 if (!(PARAM(periodic_inquiry, length) <
1544 PARAM16(periodic_inquiry, min_period) &&
1545 PARAM16(periodic_inquiry, min_period) <
1546 PARAM16(periodic_inquiry, max_period)) ||
1547 PARAM(periodic_inquiry, length) < 1 ||
1548 PARAM16(periodic_inquiry, min_period) < 2 ||
1549 PARAM16(periodic_inquiry, max_period) < 3) {
1550 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1551 break;
1552 }
1553
1554 hci->lm.inquire = 1;
1555 hci->lm.periodic = 1;
1556 hci->lm.responses_left = PARAM(periodic_inquiry, num_rsp);
1557 hci->lm.responses = 0;
1558 hci->lm.inquiry_period = PARAM16(periodic_inquiry, max_period);
1559 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1560 bt_hci_inquiry_start(hci, PARAM(periodic_inquiry, length));
1561 break;
1562
1563 case cmd_opcode_pack(OGF_LINK_CTL, OCF_EXIT_PERIODIC_INQUIRY):
1564 if (!hci->lm.inquire || !hci->lm.periodic) {
1565 fprintf(stderr, "%s: Inquiry Cancel should only be issued after "
1566 "the Inquiry command has been issued, a Command "
1567 "Status event has been received for the Inquiry "
1568 "command, and before the Inquiry Complete event "
1569 "occurs", __func__);
1570 bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED);
1571 break;
1572 }
1573 hci->lm.inquire = 0;
1574 timer_del(hci->lm.inquiry_done);
1575 timer_del(hci->lm.inquiry_next);
1576 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1577 break;
1578
1579 case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN):
1580 LENGTH_CHECK(create_conn);
1581
1582 if (hci->lm.connecting >= HCI_HANDLES_MAX) {
1583 bt_hci_event_status(hci, HCI_REJECTED_LIMITED_RESOURCES);
1584 break;
1585 }
1586 bt_hci_event_status(hci, HCI_SUCCESS);
1587
1588 if (bt_hci_connect(hci, &PARAM(create_conn, bdaddr)))
1589 bt_hci_connection_reject_event(hci, &PARAM(create_conn, bdaddr));
1590 break;
1591
1592 case cmd_opcode_pack(OGF_LINK_CTL, OCF_DISCONNECT):
1593 LENGTH_CHECK(disconnect);
1594
1595 if (bt_hci_handle_bad(hci, PARAMHANDLE(disconnect))) {
1596 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1597 break;
1598 }
1599
1600 bt_hci_event_status(hci, HCI_SUCCESS);
1601 bt_hci_disconnect(hci, PARAMHANDLE(disconnect),
1602 PARAM(disconnect, reason));
1603 break;
1604
1605 case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN_CANCEL):
1606 LENGTH_CHECK(create_conn_cancel);
1607
1608 if (bt_hci_lmp_connection_ready(hci,
1609 &PARAM(create_conn_cancel, bdaddr))) {
1610 for (i = 0; i < HCI_HANDLES_MAX; i ++)
1611 if (bt_hci_role_master(hci, i) && hci->lm.handle[i].link &&
1612 !bacmp(&hci->lm.handle[i].link->slave->bd_addr,
1613 &PARAM(create_conn_cancel, bdaddr)))
1614 break;
1615
1616 bt_hci_event_complete_conn_cancel(hci, i < HCI_HANDLES_MAX ?
1617 HCI_ACL_CONNECTION_EXISTS : HCI_NO_CONNECTION,
1618 &PARAM(create_conn_cancel, bdaddr));
1619 } else
1620 bt_hci_event_complete_conn_cancel(hci, HCI_SUCCESS,
1621 &PARAM(create_conn_cancel, bdaddr));
1622 break;
1623
1624 case cmd_opcode_pack(OGF_LINK_CTL, OCF_ACCEPT_CONN_REQ):
1625 LENGTH_CHECK(accept_conn_req);
1626
1627 if (!hci->conn_req_host ||
1628 bacmp(&PARAM(accept_conn_req, bdaddr),
1629 &hci->conn_req_host->bd_addr)) {
1630 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1631 break;
1632 }
1633
1634 bt_hci_event_status(hci, HCI_SUCCESS);
1635 bt_hci_connection_accept(hci, hci->conn_req_host);
1636 hci->conn_req_host = NULL;
1637 break;
1638
1639 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REJECT_CONN_REQ):
1640 LENGTH_CHECK(reject_conn_req);
1641
1642 if (!hci->conn_req_host ||
1643 bacmp(&PARAM(reject_conn_req, bdaddr),
1644 &hci->conn_req_host->bd_addr)) {
1645 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1646 break;
1647 }
1648
1649 bt_hci_event_status(hci, HCI_SUCCESS);
1650 bt_hci_connection_reject(hci, hci->conn_req_host,
1651 PARAM(reject_conn_req, reason));
1652 bt_hci_connection_reject_event(hci, &hci->conn_req_host->bd_addr);
1653 hci->conn_req_host = NULL;
1654 break;
1655
1656 case cmd_opcode_pack(OGF_LINK_CTL, OCF_AUTH_REQUESTED):
1657 LENGTH_CHECK(auth_requested);
1658
1659 if (bt_hci_handle_bad(hci, PARAMHANDLE(auth_requested)))
1660 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1661 else {
1662 bt_hci_event_status(hci, HCI_SUCCESS);
1663 bt_hci_event_auth_complete(hci, PARAMHANDLE(auth_requested));
1664 }
1665 break;
1666
1667 case cmd_opcode_pack(OGF_LINK_CTL, OCF_SET_CONN_ENCRYPT):
1668 LENGTH_CHECK(set_conn_encrypt);
1669
1670 if (bt_hci_handle_bad(hci, PARAMHANDLE(set_conn_encrypt)))
1671 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1672 else {
1673 bt_hci_event_status(hci, HCI_SUCCESS);
1674 bt_hci_event_encrypt_change(hci,
1675 PARAMHANDLE(set_conn_encrypt),
1676 PARAM(set_conn_encrypt, encrypt));
1677 }
1678 break;
1679
1680 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ):
1681 LENGTH_CHECK(remote_name_req);
1682
1683 if (bt_hci_name_req(hci, &PARAM(remote_name_req, bdaddr)))
1684 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1685 break;
1686
1687 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ_CANCEL):
1688 LENGTH_CHECK(remote_name_req_cancel);
1689
1690 bt_hci_event_complete_name_cancel(hci,
1691 &PARAM(remote_name_req_cancel, bdaddr));
1692 break;
1693
1694 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_FEATURES):
1695 LENGTH_CHECK(read_remote_features);
1696
1697 if (bt_hci_features_req(hci, PARAMHANDLE(read_remote_features)))
1698 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1699 break;
1700
1701 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_EXT_FEATURES):
1702 LENGTH_CHECK(read_remote_ext_features);
1703
1704 if (bt_hci_handle_bad(hci, PARAMHANDLE(read_remote_ext_features)))
1705 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1706 else {
1707 bt_hci_event_status(hci, HCI_SUCCESS);
1708 bt_hci_event_read_remote_ext_features(hci,
1709 PARAMHANDLE(read_remote_ext_features));
1710 }
1711 break;
1712
1713 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_VERSION):
1714 LENGTH_CHECK(read_remote_version);
1715
1716 if (bt_hci_version_req(hci, PARAMHANDLE(read_remote_version)))
1717 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1718 break;
1719
1720 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_CLOCK_OFFSET):
1721 LENGTH_CHECK(read_clock_offset);
1722
1723 if (bt_hci_clkoffset_req(hci, PARAMHANDLE(read_clock_offset)))
1724 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1725 break;
1726
1727 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_LMP_HANDLE):
1728 LENGTH_CHECK(read_lmp_handle);
1729
1730
1731 bt_hci_event_complete_lmp_handle(hci, PARAMHANDLE(read_lmp_handle));
1732 break;
1733
1734 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_HOLD_MODE):
1735 LENGTH_CHECK(hold_mode);
1736
1737 if (PARAM16(hold_mode, min_interval) >
1738 PARAM16(hold_mode, max_interval) ||
1739 PARAM16(hold_mode, min_interval) < 0x0002 ||
1740 PARAM16(hold_mode, max_interval) > 0xff00 ||
1741 (PARAM16(hold_mode, min_interval) & 1) ||
1742 (PARAM16(hold_mode, max_interval) & 1)) {
1743 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1744 break;
1745 }
1746
1747 if (bt_hci_mode_change(hci, PARAMHANDLE(hold_mode),
1748 PARAM16(hold_mode, max_interval),
1749 acl_hold))
1750 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1751 break;
1752
1753 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_PARK_MODE):
1754 LENGTH_CHECK(park_mode);
1755
1756 if (PARAM16(park_mode, min_interval) >
1757 PARAM16(park_mode, max_interval) ||
1758 PARAM16(park_mode, min_interval) < 0x000e ||
1759 (PARAM16(park_mode, min_interval) & 1) ||
1760 (PARAM16(park_mode, max_interval) & 1)) {
1761 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1762 break;
1763 }
1764
1765 if (bt_hci_mode_change(hci, PARAMHANDLE(park_mode),
1766 PARAM16(park_mode, max_interval),
1767 acl_parked))
1768 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1769 break;
1770
1771 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_EXIT_PARK_MODE):
1772 LENGTH_CHECK(exit_park_mode);
1773
1774 if (bt_hci_mode_cancel(hci, PARAMHANDLE(exit_park_mode),
1775 acl_parked))
1776 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1777 break;
1778
1779 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_ROLE_DISCOVERY):
1780 LENGTH_CHECK(role_discovery);
1781
1782 if (bt_hci_handle_bad(hci, PARAMHANDLE(role_discovery)))
1783 bt_hci_event_complete_role_discovery(hci,
1784 HCI_NO_CONNECTION, PARAMHANDLE(role_discovery), 0);
1785 else
1786 bt_hci_event_complete_role_discovery(hci,
1787 HCI_SUCCESS, PARAMHANDLE(role_discovery),
1788 bt_hci_role_master(hci,
1789 PARAMHANDLE(role_discovery)));
1790 break;
1791
1792 case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_MASK):
1793 LENGTH_CHECK(set_event_mask);
1794
1795 memcpy(hci->event_mask, PARAM(set_event_mask, mask), 8);
1796 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1797 break;
1798
1799 case cmd_opcode_pack(OGF_HOST_CTL, OCF_RESET):
1800 bt_hci_reset(hci);
1801 bt_hci_event_status(hci, HCI_SUCCESS);
1802 break;
1803
1804 case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_FLT):
1805 if (length >= 1 && PARAM(set_event_flt, flt_type) == FLT_CLEAR_ALL)
1806 ;
1807 else
1808 LENGTH_CHECK(set_event_flt);
1809
1810
1811 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1812 break;
1813
1814 case cmd_opcode_pack(OGF_HOST_CTL, OCF_FLUSH):
1815 LENGTH_CHECK(flush);
1816
1817 if (bt_hci_handle_bad(hci, PARAMHANDLE(flush)))
1818 bt_hci_event_complete_flush(hci,
1819 HCI_NO_CONNECTION, PARAMHANDLE(flush));
1820 else {
1821
1822 bt_hci_event(hci, EVT_FLUSH_OCCURRED,
1823 &PARAM(flush, handle),
1824 EVT_FLUSH_OCCURRED_SIZE);
1825 bt_hci_event_complete_flush(hci,
1826 HCI_SUCCESS, PARAMHANDLE(flush));
1827 }
1828 break;
1829
1830 case cmd_opcode_pack(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME):
1831 LENGTH_CHECK(change_local_name);
1832
1833 g_free((void *) hci->device.lmp_name);
1834 hci->device.lmp_name = g_strndup(PARAM(change_local_name, name),
1835 sizeof(PARAM(change_local_name, name)));
1836 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1837 break;
1838
1839 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_LOCAL_NAME):
1840 bt_hci_event_complete_read_local_name(hci);
1841 break;
1842
1843 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CONN_ACCEPT_TIMEOUT):
1844 bt_hci_event_complete_read_conn_accept_timeout(hci);
1845 break;
1846
1847 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CONN_ACCEPT_TIMEOUT):
1848
1849 LENGTH_CHECK(write_conn_accept_timeout);
1850
1851 if (PARAM16(write_conn_accept_timeout, timeout) < 0x0001 ||
1852 PARAM16(write_conn_accept_timeout, timeout) > 0xb540) {
1853 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1854 break;
1855 }
1856
1857 hci->conn_accept_tout = PARAM16(write_conn_accept_timeout, timeout);
1858 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1859 break;
1860
1861 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_SCAN_ENABLE):
1862 bt_hci_event_complete_read_scan_enable(hci);
1863 break;
1864
1865 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_SCAN_ENABLE):
1866 LENGTH_CHECK(write_scan_enable);
1867
1868
1869 hci->device.inquiry_scan =
1870 !!(PARAM(write_scan_enable, scan_enable) & SCAN_INQUIRY);
1871 hci->device.page_scan =
1872 !!(PARAM(write_scan_enable, scan_enable) & SCAN_PAGE);
1873 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1874 break;
1875
1876 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CLASS_OF_DEV):
1877 bt_hci_event_complete_read_local_class(hci);
1878 break;
1879
1880 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CLASS_OF_DEV):
1881 LENGTH_CHECK(write_class_of_dev);
1882
1883 memcpy(hci->device.class, PARAM(write_class_of_dev, dev_class),
1884 sizeof(PARAM(write_class_of_dev, dev_class)));
1885 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1886 break;
1887
1888 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_VOICE_SETTING):
1889 bt_hci_event_complete_voice_setting(hci);
1890 break;
1891
1892 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_VOICE_SETTING):
1893 LENGTH_CHECK(write_voice_setting);
1894
1895 hci->voice_setting = PARAM(write_voice_setting, voice_setting);
1896 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1897 break;
1898
1899 case cmd_opcode_pack(OGF_HOST_CTL, OCF_HOST_NUMBER_OF_COMPLETED_PACKETS):
1900 if (length < data[0] * 2 + 1)
1901 goto short_hci;
1902
1903 for (i = 0; i < data[0]; i ++)
1904 if (bt_hci_handle_bad(hci,
1905 data[i * 2 + 1] | (data[i * 2 + 2] << 8)))
1906 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1907 break;
1908
1909 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_INQUIRY_MODE):
1910
1911
1912
1913 bt_hci_event_complete_read_inquiry_mode(hci);
1914 break;
1915
1916 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_INQUIRY_MODE):
1917
1918
1919
1920 LENGTH_CHECK(write_inquiry_mode);
1921
1922 if (PARAM(write_inquiry_mode, mode) > 0x01) {
1923 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1924 break;
1925 }
1926
1927 hci->lm.inquiry_mode = PARAM(write_inquiry_mode, mode);
1928 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1929 break;
1930
1931 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_VERSION):
1932 bt_hci_read_local_version_rp(hci);
1933 break;
1934
1935 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_COMMANDS):
1936 bt_hci_read_local_commands_rp(hci);
1937 break;
1938
1939 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_FEATURES):
1940 bt_hci_read_local_features_rp(hci);
1941 break;
1942
1943 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_EXT_FEATURES):
1944 LENGTH_CHECK(read_local_ext_features);
1945
1946 bt_hci_read_local_ext_features_rp(hci,
1947 PARAM(read_local_ext_features, page_num));
1948 break;
1949
1950 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BUFFER_SIZE):
1951 bt_hci_read_buffer_size_rp(hci);
1952 break;
1953
1954 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_COUNTRY_CODE):
1955 bt_hci_read_country_code_rp(hci);
1956 break;
1957
1958 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BD_ADDR):
1959 bt_hci_read_bd_addr_rp(hci);
1960 break;
1961
1962 case cmd_opcode_pack(OGF_STATUS_PARAM, OCF_READ_LINK_QUALITY):
1963 LENGTH_CHECK(read_link_quality);
1964
1965 bt_hci_link_quality_rp(hci, PARAMHANDLE(read_link_quality));
1966 break;
1967
1968 default:
1969 bt_hci_event_status(hci, HCI_UNKNOWN_COMMAND);
1970 break;
1971
1972 short_hci:
1973 error_report("%s: HCI packet too short (%iB)", __func__, length);
1974 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1975 break;
1976 }
1977}
1978
1979
1980
1981
1982
1983static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle,
1984 const uint8_t *data, int start, int len)
1985{
1986 struct hci_acl_hdr *pkt = (void *) hci->acl_buf;
1987
1988
1989
1990
1991 if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) {
1992 error_report("%s: can't take ACL packets %i bytes long",
1993 __func__, len);
1994 return;
1995 }
1996 memcpy(hci->acl_buf + HCI_ACL_HDR_SIZE, data, len);
1997
1998 pkt->handle = cpu_to_le16(
1999 acl_handle_pack(handle, start ? ACL_START : ACL_CONT));
2000 pkt->dlen = cpu_to_le16(len);
2001 hci->info.acl_recv(hci->info.opaque,
2002 hci->acl_buf, len + HCI_ACL_HDR_SIZE);
2003}
2004
2005static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink,
2006 const uint8_t *data, int start, int len)
2007{
2008 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
2009
2010 bt_hci_lmp_acl_data(hci_from_device(btlink->slave),
2011 link->handle, data, start, len);
2012}
2013
2014static void bt_hci_lmp_acl_data_host(struct bt_link_s *link,
2015 const uint8_t *data, int start, int len)
2016{
2017 bt_hci_lmp_acl_data(hci_from_device(link->host),
2018 link->handle, data, start, len);
2019}
2020
2021static void bt_submit_acl(struct HCIInfo *info,
2022 const uint8_t *data, int length)
2023{
2024 struct bt_hci_s *hci = hci_from_info(info);
2025 uint16_t handle;
2026 int datalen, flags;
2027 struct bt_link_s *link;
2028
2029 if (length < HCI_ACL_HDR_SIZE) {
2030 error_report("%s: ACL packet too short (%iB)", __func__, length);
2031 return;
2032 }
2033
2034 handle = acl_handle((data[1] << 8) | data[0]);
2035 flags = acl_flags((data[1] << 8) | data[0]);
2036 datalen = (data[3] << 8) | data[2];
2037 data += HCI_ACL_HDR_SIZE;
2038 length -= HCI_ACL_HDR_SIZE;
2039
2040 if (bt_hci_handle_bad(hci, handle)) {
2041 error_report("%s: invalid ACL handle %03x", __func__, handle);
2042
2043 return;
2044 }
2045 handle &= ~HCI_HANDLE_OFFSET;
2046
2047 if (datalen > length) {
2048 error_report("%s: ACL packet too short (%iB < %iB)",
2049 __func__, length, datalen);
2050 return;
2051 }
2052
2053 link = hci->lm.handle[handle].link;
2054
2055 if ((flags & ~3) == ACL_ACTIVE_BCAST) {
2056 if (!hci->asb_handle)
2057 hci->asb_handle = handle;
2058 else if (handle != hci->asb_handle) {
2059 error_report("%s: Bad handle %03x in Active Slave Broadcast",
2060 __func__, handle);
2061
2062 return;
2063 }
2064
2065
2066 }
2067
2068 if ((flags & ~3) == ACL_PICO_BCAST) {
2069 if (!hci->psb_handle)
2070 hci->psb_handle = handle;
2071 else if (handle != hci->psb_handle) {
2072 error_report("%s: Bad handle %03x in Parked Slave Broadcast",
2073 __func__, handle);
2074
2075 return;
2076 }
2077
2078
2079 }
2080
2081
2082 bt_hci_event_num_comp_pkts(hci, handle | HCI_HANDLE_OFFSET, 1);
2083
2084
2085 hci->lm.handle[handle].lmp_acl_data(link, data,
2086 (flags & 3) == ACL_START, length);
2087}
2088
2089static void bt_submit_sco(struct HCIInfo *info,
2090 const uint8_t *data, int length)
2091{
2092 struct bt_hci_s *hci = hci_from_info(info);
2093 uint16_t handle;
2094 int datalen;
2095
2096 if (length < 3)
2097 return;
2098
2099 handle = acl_handle((data[1] << 8) | data[0]);
2100 datalen = data[2];
2101 length -= 3;
2102
2103 if (bt_hci_handle_bad(hci, handle)) {
2104 error_report("%s: invalid SCO handle %03x", __func__, handle);
2105 return;
2106 }
2107
2108 if (datalen > length) {
2109 error_report("%s: SCO packet too short (%iB < %iB)",
2110 __func__, length, datalen);
2111 return;
2112 }
2113
2114
2115
2116
2117
2118
2119
2120}
2121
2122static uint8_t *bt_hci_evt_packet(void *opaque)
2123{
2124
2125 struct bt_hci_s *s = opaque;
2126
2127 return s->evt_buf;
2128}
2129
2130static void bt_hci_evt_submit(void *opaque, int len)
2131{
2132
2133 struct bt_hci_s *s = opaque;
2134
2135 s->info.evt_recv(s->info.opaque, s->evt_buf, len);
2136}
2137
2138static int bt_hci_bdaddr_set(struct HCIInfo *info, const uint8_t *bd_addr)
2139{
2140 struct bt_hci_s *hci = hci_from_info(info);
2141
2142 bacpy(&hci->device.bd_addr, (const bdaddr_t *) bd_addr);
2143 return 0;
2144}
2145
2146static void bt_hci_done(struct HCIInfo *info);
2147static void bt_hci_destroy(struct bt_device_s *dev)
2148{
2149 struct bt_hci_s *hci = hci_from_device(dev);
2150
2151 bt_hci_done(&hci->info);
2152}
2153
2154struct HCIInfo *bt_new_hci(struct bt_scatternet_s *net)
2155{
2156 struct bt_hci_s *s = g_malloc0(sizeof(struct bt_hci_s));
2157
2158 s->lm.inquiry_done = timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_inquiry_done, s);
2159 s->lm.inquiry_next = timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_inquiry_next, s);
2160 s->conn_accept_timer =
2161 timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_conn_accept_timeout, s);
2162
2163 s->evt_packet = bt_hci_evt_packet;
2164 s->evt_submit = bt_hci_evt_submit;
2165 s->opaque = s;
2166
2167 bt_device_init(&s->device, net);
2168 s->device.lmp_connection_request = bt_hci_lmp_connection_request;
2169 s->device.lmp_connection_complete = bt_hci_lmp_connection_complete;
2170 s->device.lmp_disconnect_master = bt_hci_lmp_disconnect_host;
2171 s->device.lmp_disconnect_slave = bt_hci_lmp_disconnect_slave;
2172 s->device.lmp_acl_data = bt_hci_lmp_acl_data_slave;
2173 s->device.lmp_acl_resp = bt_hci_lmp_acl_data_host;
2174 s->device.lmp_mode_change = bt_hci_lmp_mode_change_slave;
2175
2176
2177
2178
2179 s->device.lmp_caps = 0x8000199b7e85355fll;
2180
2181 bt_hci_reset(s);
2182
2183 s->info.cmd_send = bt_submit_hci;
2184 s->info.sco_send = bt_submit_sco;
2185 s->info.acl_send = bt_submit_acl;
2186 s->info.bdaddr_set = bt_hci_bdaddr_set;
2187
2188 s->device.handle_destroy = bt_hci_destroy;
2189
2190 error_setg(&s->replay_blocker, QERR_REPLAY_NOT_SUPPORTED, "-bt hci");
2191 replay_add_blocker(s->replay_blocker);
2192
2193 return &s->info;
2194}
2195
2196struct HCIInfo *hci_init(const char *str)
2197{
2198 char *endp;
2199 struct bt_scatternet_s *vlan = 0;
2200
2201 if (!strcmp(str, "null"))
2202
2203 return &null_hci;
2204 else if (!strncmp(str, "host", 4) && (str[4] == '\0' || str[4] == ':'))
2205
2206 return bt_host_hci(str[4] ? str + 5 : "hci0");
2207 else if (!strncmp(str, "hci", 3)) {
2208
2209 if (str[3]) {
2210 if (!strncmp(str + 3, ",vlan=", 6)) {
2211 vlan = qemu_find_bt_vlan(strtol(str + 9, &endp, 0));
2212 if (*endp)
2213 vlan = 0;
2214 }
2215 } else
2216 vlan = qemu_find_bt_vlan(0);
2217 if (vlan)
2218 return bt_new_hci(vlan);
2219 }
2220
2221 error_report("Unknown bluetooth HCI `%s'.", str);
2222
2223 return 0;
2224}
2225
2226static void bt_hci_done(struct HCIInfo *info)
2227{
2228 struct bt_hci_s *hci = hci_from_info(info);
2229 int handle;
2230
2231 bt_device_done(&hci->device);
2232
2233 g_free((void *) hci->device.lmp_name);
2234
2235
2236
2237
2238 if (hci->conn_req_host) {
2239 bt_hci_connection_reject(hci,
2240 hci->conn_req_host, HCI_OE_POWER_OFF);
2241 return;
2242 }
2243
2244 for (handle = HCI_HANDLE_OFFSET;
2245 handle < (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX); handle ++)
2246 if (!bt_hci_handle_bad(hci, handle))
2247 bt_hci_disconnect(hci, handle, HCI_OE_POWER_OFF);
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258 timer_free(hci->lm.inquiry_done);
2259 timer_free(hci->lm.inquiry_next);
2260 timer_free(hci->conn_accept_timer);
2261
2262 g_free(hci);
2263}
2264
